Tech Giants' NSA Deal Leaves Start-Ups in the Shadows

A group of U.S. technology giants has struck a deal with the Obama administration that allows the companies to disclose more details on customer data turned over to government agencies such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). But the fine print in the agreement leaves smaller companies such as start-ups with greater restrictions on when they can publicly reveal national security data requests for their users' data.

Before the new agreement, companies were prohibited by law from disclosing any information on Foreign Intelligence Surveillance Act (FISA) orders requiring them to turn over customer data. The companies were allowed to disclose only the number of National Security Letters, which are issued primarily by the FBI independent of the legal court system, but not the more controversial FISA warrants. This restriction led a coalition of Internet companies to pressure the Obama administration for more transparent data-disclosure rules. More transparency would help the companies reassure their users that they're sharing data with the government only when legally required.

The new disclosure rules also allow the tech giants to reveal government requests more often than before, according to the New York Times. In exchange, Google, Microsoft, Yahoo, LinkedIn, and Facebook agreed to drop a lawsuit demanding more transparency before the Foreign Intelligence Surveillance Court, known as FISA court, which oversees surveillance warrants. Yet the deal also effectively prohibits companies less than two years old from disclosing such requests for a period of two years—a move that could hurt start-ups by leaving their customers in the dark on possible government surveillance.

Under the new agreement announced Monday by Attorney General Eric Holder and Director of National Intelligence James Clapper, companies older than two years old can disclose the rough number of FISA orders they receive. Such disclosures can only appear as increments of 1,000 or as increments of 250 if lumping together FISA requests and National Security Letters. The agreement permits companies to disclose such national security data requests every six months. Companies can also disclose the number of "selectors," such as usernames, email addresses, or Internet addresses, that a government agency requested.

But companies must delay disclosures for two years in the case of new government surveillance efforts covering "a platform, product, or service (whether developed or acquired) for which the company has not previously received such an order,” according to The Guardian. That condition effectively prevents start-ups from disclosing anything for two years.

Ladar Levison, founder of the Lavabit email service used by Edward Snowden, told the Timeshe worried about the new deal casting a dark shadow over start-ups without doing much for tech giants' transparency. Lavabit is currently making its case before a U.S. federal appeals court after it shut down last year to avoid a court order to hand over its private SSL (secure socket layer) keys, according to PC World.

David Snead, co-founder of the i2Coalition, a trade association representing the Internet infrastructure industry, also pointed out how the new disclosure rules hurt medium and small tech companies in a Time Magazine interview.

"For example, this lack of specificity may make it appear that a small company has received as many as 999 requests for data when in fact they received few or even none. Ironically, these new rules may be an incentive for small and medium companies not to report at all, thus giving the appearance that the company is hiding something."

The new transparency deal resulted from the political fallout surrounding the Snowden leaks regarding NSA surveillance programs. Such leaks revealed how the NSA has scooped up millions of records every day from the internal networks of tech giants such as Google and Yahoo. They also revealed how the agency has collected cellphone location data from around the world.

A worldwide backlash in the wake of the revelations has already hurt the public image of everyone from the U.S. National Institute of Standards and Technology—responsible for overseeing cryptography standards—to the U.S. tech industry at large. Forrester Research estimated that the U.S. cloud computing industry stands to lose as much as $180 billion by 2016. And countries such as Germany and Brazil have begun considering the creation of national Internets to shield themselves against foreign surveillance.

Comments

IEEE Spectrum’s general technology blog, featuring news, analysis, and opinions about engineering, consumer electronics, and technology and society, from the editorial staff and freelance contributors.